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SECURE ELECTRONIC ENTITY INTEGRATING OBJECT LIFESPAN 

MANAGEMENT 

The invention relates to a secure electronic entity 
adapted to store one or more objects and in particular 
seeks to improve this kind of electronic entity so that 
it is able to manage a lifespan assigned to the object, 
running from a reference time of day associated with the 
object. 

References hereinafter to managing time "in" the 
electronic entity mean management independent of any 
external time measuring system, for example a clock 
signal generator or any other means of measuring time 
external to the electronic entity. 

Its specific features make the electronic entity of 
the present invention relatively inviolable. 

Throughout the remainder of the description, the 
lifespan of an object is either a total time of use of 
the object or a fixed time selected in advance and 
independent of the real time of use of the object. 

The invention may be applied to any secure 
electronic entity, for example a secure microcircuit card 
including means enabling it to be coupled at least 
temporarily to an electrical power supply to carry out 
one or more operations. The invention can in particular 
be used to manage the lifespan of the card itself or of 
objects contained in the card in the absence of a 
continuous power supply. 

The electronic entity can be a microcircuit card, 
for example, such as a bank card, an access control card, 
an identity card, a SIM card or a memory card such as a 
Panasonic SD (Secured Digital) card or a PCMCIA (Personal 
Computer Memory Card International Architecture) card, 
for example an IBM 4758 card. 



The security of an object stored in this kind of 
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electronic entity may be improved if it is possible to 
take account of the time that has elapsed since a 
reference time of day related to that object^, whether the 
object is the operating system of the card, a secret code 
5 (PIN, key, certificate) , a data file, a file system, an 
application or access rights. 

There are applications, such as Digital Rights 
Management (DRM) applications, that necessitate the use 
of a certified time, i.e. of secure time measurement. 

10 Moreover, limiting the validity time of secret data 

stored in a microcircuit card, such as a key, a 
certificate or a PIN, makes the card more secure. 

Moreover, limiting the validity time can be used to 
manage certain objects in the card, for example to manage 

15 successive versions of an application or "garbage 
collection", i.e. freeing up memory space corresponding 
to objects that are no longer used. 

As far as the applicant knows, in prior 
microcircuit cards, there is no way of measuring time 

20 securely and autonomously or to limit the validity time 
of objects stored in the card. This increases the 
probability of pirating of such objects by allowing a 
fraudster the opportunity to misuse them fraudulently, 
for example by supplying a false time indication to the 

25 card. 

An object of the present invention is to remedy 
these drawbacks by preventing an attacker fraudulently 
using a secure electronic entity or one or more objects 
stored therein. To this end, the present invention 
30 integrates into the electronic entity management of the 
duration of the ^ assigned lifespan of the object or 
objects concerned or even of the electronic entity 
itself . 

To this end, the invention proposes a secure 
35 electronic entity including means adapted to store one or 
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more objects, which entity is noteworthy in that it 
includes : 

- a unit for measuring the time that has elapsed from a 
reference time of day associated with said object, 

- a unit for storing a lifespan assigned to the object, 
the storage unit co-operating with the time measuring 
unit to compare the elapsed time and the lifespan, and 

- an updating and invalidation unit for updating 
the lifespan of the object or to render the object 
temporarily or permanently unusable if the result of said 
comparison is that the elapsed time has reached or passed 
the lifespan. 

According to the invention, the means for 
determining the elapsed time from the reference time of 
day are situated in the electronic entity, which makes it 
more secure. 

As indicated above, said lifespan either 
corresponds to the total time of real use of the object 
or is a time period independent of the total time of real 
use of the object. 

If the lifespan is independent of the total real 
time of use of the object, the reference time of day is a 
time of day that marks the beginning of the time 
measurement. It may be stored in the electronic entity, 
but this is optional. If the lifespan corresponds to the 
total real time of use of the object, the elapsed time is 
measured on each use of the object, the reference time of 
day being the time of day at which each use starts. 

The time measuring unit is advantageously adapted 
to provide a measurement of the time that has elapsed 
since the reference time of day even when the electronic 
entity is not supplied with power by an external power 
supply - 

The time measuring unit is advantageously adapted 
to supply a measurement of the time that has elapsed 
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since the reference time of day even when the electronic 
entity is not supplied with electrical power. 

The time measuring unit is advantageously adapted 
to supply a measurement of the time that has elapsed 
since the reference time of day independently of any 
external clock signal. 

In this sense, the electronic entity is autonomous 
both from the time measurement point of view and from the 
electrical power supply point of view. 

Alternatively, a battery and/or a clock can be 
provided in the electronic entity, of course. 

The time measuring unit may include means for 
comparing two times of day, a time of day generally being 
an expression of the current time, and the two times of 
day being understood in the present context as being two 
times defined relative to the same time reference, for 
example the reference time of day associated with the 
object whose lifespan is monitored by the electronic 
entity. The comparison means may compare the current time 
of day directly to the reference time of day of the 
object, which means that the remaining lifespan of the 
object may be deduced directly. Alternatively, each time 
the object is used, the comparison means may compare the 
time of day at the end of use with the time of day at the 
start of use and add the resulting time period to the 
time periods calculated for previous uses of the object. 
The comparison means then check if that cumulative time 
period is greater than the lifespan fixed for the object. 

The unit for storing the lifespan advantageously 
includes a secure entity and may be situated inside or 
outside the electronic entity. 

As mentioned in the introduction, by way of non- 
limiting example, the object may be the operating system 
of a card, a secret code (PIN, key or certificate) , a 
file or a file system, an application or access rights. 
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The reference time of day associated with the object may 
be the time of day at which the object was created in the 
electronic entity. 

In a preferred embodiment of the present invention, 
5 the secure electronic entity includes one or more 
subsystems comprising : 

- a capacitive component subject to leakage across its 
dielectric space^. means being provided for coupling said 
capacitive component to an electrical power supply to be 

10 charged by said electrical power supply, and 

- means for measuring the residual charge in the 
capacitive component, said residual charge being at least 
in part representative of the time that has elapsed since 
the capacitive component . was decoupled from the 

15 electrical power supply- 
In this case, the capacitive component of the 
subsystem cited above can be charged only when the secure 
electronic entity is coupled to the electrical power 
supply, which may be external to the secure electronic 

20 entity, although that is not essential; the electronic 
entity may instead be supplied with power by a battery in 
or on it. 

The electronic entity may be provided with means 
for decoupling the capacitive component from the 
25 electrical power supply, this event initializing the time 
measurement. 

More generally, measurement of time, i.e. variation 
of the charge in the capacitive component, begins, after 
it has been charged, as soon as the component is 
30 electrically insulative from any other circuit and can be 
discharged only across its own dielectric space. 

However, even if the residual charge measured is 
physically linked to the time that has elapsed between 
isolating the capacitive component and a given 
35 measurement of its residual charge, a measured time 
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interval may be determined between two measurements, the 
first measurement determining a reference residual 
charge, as it were. The means for measuring the residual 
charge in the capacitive component are used to determine 
5 an elapsed time. 

The capacitive component is charged during use of 
the object whose lifespan is monitored by the electronic 
entity, the term "use" being understood in the widest 
sense and including, for example, the creation of the 

10 object- During such use the means for measuring the 
residual charge provide information that is 
representative either of the elapsed time since the 
reference time of day or of the total time of use of the 
object, depending on whether the lifespan of the object 

15 is independent of the real time of use of the object. 

Moreover, the invention further enables the secure 
electronic entity to continue to measure the elapsed time 
even after it has been temporarily supplied with power 
and has then been deprived of any further electrical 

20 power supply. Thus the invention does not necessitate the 
use of a continuous electrical power supply. 

The means for measuring the residual charge may be 
included in the time measuring unit referred to above. 

In a preferred embodiment, the means for measuring 

25 the residual charge comprise a field-effect transistor 
whose gate is connected to a terminal of the capacitive 
component, i.e. to a "plate" of a capacitor. 

A capacitor of the above kind may be implemented in 
the MOS technology and its dielectric space may then 

30 consist of a silicon oxide. In this case, it is 
advantageous for the field-effect transistor also to be 
implemented in the MOS technology. The gate of the field-, 
effect transistor and the "plate" of the MOS capacitive 
component are connected together and constitute a kind of 

35 a floating gate that may be connected to a component for 
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injecting charge carriers. 

There may also be no electrical connection as such 
with the external environment. The connection of the 
floating gate may be replaced by an (electrically 
5 insulative) control gate that charges the floating gate^ 
for example by means of a tunneling effect or "hot 
carriers". The gate causes charge carriers to migrate 
toward the floating gate common to the field-effect 
transistor and the capacitive component. This technique 

10 is well known to EPROM and EEPROM manufacturers, 

The field-effect transistor and the capacitive 
component may constitute a unit integrated into a 
microcircuit contained in the secure electronic entity or 
forming part of another microcircuit housed in another 

15 secure entity, such as a server. 

At certain times, both periodic and otherwise, 
during use of the object whose lifespan is monitored by 
the secure electronic entity, when the secure electronic 
entity is coupled to an external electrical power supply, 

20 the capacitive component is charged to a predetermined 
value, which is either known or measured and stored, and 
the means for measuring the residual charge are connected 
to a terminal of the capacitive component. 

If the object is not being used, the means for 

25 measuring the residual charge, and in particular the 
field-effect transistor, are no longer supplied with 
power, but the gate of the transistor connected to the 
terminal of the capacitive component is at a voltage 
corresponding to the charge therein. 

30 If the lifespan is independent of the real time of 

use of the object throughout the period of time between 
the reference time of day associated with the object and 
the time of day of its current use, the capacitive 
component is slowly discharged across its own dielectric 

35 space with the result that the voltage applied to the 
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gate of the field-effect transistor is progressively 
reduced. 

When the electronic entity is again connected to an 
electrical power supply, if the object is used again, an 
5 electrical voltage is applied between the drain and the 
source of the field-effect transistor. This generates an 
electric current from the drain to the source (or in the 
opposite direction, as appropriate) , which current may be 
connected and analyzed. 

10 The value of the measured electrical current 

depends on the technological parameters of the field- 
effect transistor^ on the potential difference between 
the drain and the source, and the voltage between the 
gate and the substrate- The current therefore depends on 

15 charge carriers accumulated in the floating gate common 
to the field-effect transistor and to the capacitive 
component. Consequently, that drain current is also 
representative of the elapsed time between the reference 
time of day and the current time of day. 

20 The leakage current of the above kind of capacitor 

depends of course on the thickness of its dielectric 
space and on other technological parameters such as the 
contact lengths and areas of the elements of the 
capacitive component. It is also necessary to take into 

25 account the three-dimensional architecture of the 
contacts between these parts, which may induce phenomena 
modifying the parameters of the leakage current (for 
example, modification of the tunnel capacitance) . The 
type and quantity of dopants and defects may be modulated 

30 to modify the characteristics of the leakage current. 

Temperature variations, to be more precise the 
average of the calorific energy input to the secure 
electronic entity during the time of use of the object, 
also have an influence. In fact, any parameter intrinsic 

35 to the MOS technology may be a source of modulation of 
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the time measurement process. 

The thickness of the insulative layer of the field- 
effect transistor is advantageously significantly greater 
(for example approximately three times) than the 
5 thickness of the insulative layer of the capacitive 
component . 

The thickness of the insulative layer of the 
capacitive component is advantageously from 4 nanometers 
to 10 nanometers. 

10 To obtain information that is representative 

substantially of only time, in another embodiment, at 
least two subsystems as defined herein above may be 
operated "in parallel". The two temperature-sensitive 
capacitive components are designed with different leaks, 

15 all other things being equal, i.e. their dielectric 
spaces (the thickness of the silicon oxide layer) have 
different thicknesses . 

To this end, in one advantageous embodiment of the 
invention, the electronic entity defined hereinabove is 

20 noteworthy in that it includes: 

at least two of the previously mentioned subsystems 
each comprising: 

- a capacitive component subject to leakage across its 
dielectric space, 

25 - means enabling said capacitive component to be coupled 
to an electrical power supply in order to be charged by 
said electrical power supply, and 

means for measuring the residual charge in the 
capacitive component, 

30 said residual charge being at least in part 
representative of the time which has elapsed after the 
capacitive component was decoupled from the electrical 
power supply, said subsystems comprising capacitive 
components having different leaks across their respective 

35 dielectric spaces, and said secure electronic entity 
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further including means for processing respective 
measured residual charges in said capacitive components 
to extract from said measurements information 
substantially independent of heat input to said entity 
5 during the time that has elapsed since the reference time 
of day. 

For example, the processing means may include a 
table of stored time values addressed by the respective 
measurements. In other words, each pair of measurements 

10 designates a stored time value independent of temperature 
and temperature variations during the measured period. 
The electronic entity advantageously includes a memory 
associated with a microprocessor and a portion of that 
memory may be used to store the table of values. 

15 Alternatively, the processing means may include 

calculation software programmed to execute a 
predetermined function for calculating time information, 
substantially independent of calorific input, as a 
function of the two measurements cited above. 

20 The invention is particularly suitable for 

application to microcircuit cards. The secure electronic 
entity may be a microcircuit card such as a bank card, an 
access control card, an identity card, a SIM card or a 
memory card (such as a Panasonic SD card) , or may contain 

25 a microcircuit card, or may be of another type, for 
example a PCMCIA card (such as an IBM 4758 card) . 

The invention is also noteworthy by virtue of its 
level of integration. 

Further aspects and advantages of the invention 

30 will become apparent on reading the following detailed 
description of particular embodiments of the invention, 
provided by way of non-limiting example. The description 
refers to the accompanying drawings: 

- Figure 1 is a block diagram of one particular 

35 embodiment of a secure electronic entity conforming to 
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the present invention; 

- Figure 2 is a block diagram of a microcircuit 
card to which one particular embodiment of the invention 
may be applied; 

5 - Figure 3 is a theoretical diagram of a subsystem 

that one particular embodiment of the secure electronic 
entity may include; and 

- Figure 4 is a block diagram of a variant of the 
embodiment shown in Figures 1 and 2 . 

10 As shown in Figure 1, in one particular embodiment, 

a secure electronic entity 11 conforming to the present 
invention includes a non-volatile memory 23, for example 
of the EEPROM type, storing data relating to one or more 
objects, such as an operating system, a secret code (PIN, 

15 encryption key or certificate, for example), a file or a 
system of files, an application or access rights. 

One particular embodiment is described hereinafter 
in which the lifespan selected for an object is 
independent of the real time of use of that object. 

20 The electronic entity 11 contains a unit 18 for 

measuring the time that elapses from a reference time of 
day Dref associated with the object stored in the EEPROM 
23. The reference time of day may be the time of day the 
object was created in the card, for example. 

25 The time measuring unit 18 is independent of any 

external time measuring system, for example a clock 
signal generator or other means of measuring time 
external to the card. 

The secure electronic entity 11 also includes a 

30 unit 19 for storing a plurality of parameters defining 
the object whose lifespan is to be managed in the secure 
electronic entity: 

- an identifier Id of the object, 

- the above reference time of day Dref, and 

35 - a predetermined lifespan V assigned to the object. 



wo 2004/051558 



PCT/FR2003/003453 



12 

The operations that create an object naturally use 
secure mechanisms to protect the "lifespan" data item V. 

The storage unit 19 may be lumped together with the 
EEPROM 23 and is advantageously a secure memory of the 
5 electronic entity 11 that in particular is not accessible 
from the outside. Alternatively, the storage unit 19 may 
be outside the secure electronic entity 11, in a secure 
external entity. In this case, the value (s) of the 
lifespan V and/or of the identifier Id and/or the 
10 reference time of day Dref are received from the outside, 
from a "trusted" third party (approved authority) by the 
secure electronic entity 11, by means of a secure 
protocol (i.e. a protocol employing cryptography) and are 
stored at least temporarily in a secure area of the 
15 electronic entity 11. 

The secure electronic entity 11 further includes an 
updating and invalidation unit 21 controlled by the time 
measuring unit 18. 

In accordance with the present invention, the 
20 storage unit 19 cooperates with the time measuring unit 
18 to compare the elapsed time and the lifespan V, for 
example each time that the object is used or at any time 
at which the validity of the object has to be verified. 

If, after comparing the elapsed time and the 
25 lifespan V, it is apparent that the lifespan has been 
reached or passed, the updating and invalidation unit 21 
acts on the object, either to update its lifespan V in 
the storage unit 19, in order to extend the lifespan of 
the object, subject to the use of security mechanisms, or 
30 to update the object (for example by replacing an 
existing version. of the object with a new version), or to 
inhibit the functioning of the object temporarily, for a 
predetermined time period, or even to render the object 
permanently unusable . 
35 A region (for example a file) containing the time 
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of day, for example in seconds, since the reference time 
of day Dref may be provided in the memory of the secure 
electronic entity 11. 

Thereafter, before authorizing new use of the 
5 object, the time of day of the current use is compared 
with the reference time of day Dref. If the difference 
between the two times of day is equal to or greater than 
the lifespan V, the updating and invalidation unit 21 
comes into action. 
10 The invention has many possible applications, 

including : 

- limiting the lifespan of a microcircuit card as a 
function of the term of the agreement entered into by its 
user, to guarantee no hijacking and fraudulent use of the 

15 card beyond the intended time of use; 

- limiting the lifespan of a file system, in a 
similar manner; 

- commanding a periodic change by the user of the 
confidential code associated with use of the secure 

20 electronic entity; 

- defining when the validity of data contained in a 
file expires, after which reading of the data is rendered 
impossible or is at least accompanied by a warning to the 
user; 

25 - defining when the validity of an application 

expires, for example in the case of an application linked 
to a sporting, cultural or artistic event that is time- 
limited, after which the application is automatically 
eliminated; 

30 - defining when a free trial period of an 

evaluation version of software ends, after which the 
right to use the software may be extended subject to 
payment by the user and the use of a security mechanism; 

- managing electronic access rights to a piece of 
35 music, a film or the like via the Internet, in the form 
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of a fixed-charge subscription of predetermined duration 
(for example one month) or as a function of the real time 
of use of the access rights (for example ten hours of 
listening) ; 
5 - and so on. 

In the final application example referred to above, 
a user wishes to access the content of the Internet site 
of a musical content publisher for a defined time period, 
for example. To this end he purchases access rights to 

10 the musical content for a particular period, for example 
four hours. After verification, the publisher sends the 
secure electronic entity of the user a secure message 
granting listening rights for the intended time period. 
On receiving this message, the secure electronic entity 

15 creates in its memory a "listening right" object and 
initializes the lifespan V with the chosen value, i.e. 
four hours . 

On the first use of the object, i.e. on the first 
access to the musical content, the secure electronic 

20 entity verifies the presence of the "listening right" 
object and stores the time of day at which listening 
begins. The user then accesses the musical content. On 
each request for secret decryption data, the secure 
electronic entity verifies the presence of the "listening 

25 right" object and its validity as a function of the 
updated time. If the difference between the current time 
of day and the reference time of day (which in this 
example is the time of day at which listening begins) is 
less than four hours, the right is still valid and the 

30 secure electronic entity supplies the secret data, which 
is used to decrypt the musical content. On the other 
hand, if that difference is equal to or greater than four 
hours, the right is no longer valid and the secret 
decoding data is not supplied. The electronic entity can 

35 also invalidate the "listening right" object temporarily, 
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or even destroy it. 

If the user stops using the "listening right" 
object before the right expires, the lifespan of the 
object is updated as a function of the remaining time: 
5 the new value of the lifespan is equal to the previous 
lifespan less the current time of day and the time of day 
at which listening began. 

In another example of an application of the 
invention, in the field of mobile telecommunications, the 

10 secure electronic entity may be a smart card of the SIM 
card type and the object may be an SAT (SIM application 
toolkit) application as defined in particular by the GSM 
03.48 standard. The applications may be loaded at the 
time of customizing the SIM card or downloaded, either 

15 using the SMS (Short Message Service) technology, also 
defined by the GMS standard cited above, or via a reader 
connected to a computer in turn connected to a card 
management center . 

The electronic entity manages a table of SAT 

20 applications containing, for each application, an 
identifier AID of the application, a reference time of 
day (for example the time of day the application was 
created), and the lifespan of the application. 

Each time the application is started, the SIM card 

25 uses the time measuring unit to determine if the 
application is still valid. If not, i.e. if the 
difference between the current time of day and the time 
of day the application was created is equal to or greater 
than the lifespan of the application, the card sends a 

30 Delete__application (AID) administrative command and 
updates the table of SAT applications. 

Figure 2 shows one particular embodiment of a 
secure electronic entity 11 conforming to the present 
invention taking the form of a microcircuit card. The 

35 secure electronic entity 11 includes a unit 12 for 
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coupling it to an external electrical power supply 16. 

In the particular embodiment shown, the secure 
electronic entity 11 includes metal connection areas 
adapted to be connected to a unit forming a card reader. 
5 Two connection areas 13a, 13b are reserved for supplying 
electrical power to the microcircuit , the electrical 
power supply being in a server or other device to which 
the secure electronic entity is momentarily connected. 
These connection areas may be replaced by an antenna 

10 housed in the thickness of the card and adapted to supply 
the microcircuit with the electrical energy it needs as 
well as providing bidirectional transmission of radio- 
frequency signals for exchanging information. This is 
known as contact less technology. 

15 The microcircuit comprises a microprocessor 14 

conventionally associated with a memory 15. 

One particular embodiment of the secure electronic 
entity 11 includes (or is associated with) one or more 
time measuring subsystems 17. 

20 The subsystem 11 , which is shown in more detail in 

Figure 3, is therefore accommodated in the secure 
electronic unit 11. It may form part of the microcircuit 
and may be implemented in the same integration technology 
as the microcircuit. 

25 The subsystem 17 comprises a capacitive component 

20 subject to leakage across its dielectric space 24 and 
a unit 22 for measuring the residual charge in the 
component 20. 

The residual charge is at least in part 
30 representative of the time elapsed since the capacitive 
component 20 was decoupled from the electrical power 
supply, that is to say, in the present example, from the 
reference time of day Dref associated with the object 
whose lifespan is to be monitored. 
35 The capacitive component 20 is charged by the 
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external electrical power supply either via a direct 
connection, as in the present example, or by any other 
means for charging the gate. The tunnel effect is one 
method of charging the gate with no direct connection. In 
5 the present example, the microprocessor 14 controls the 
charging of the capacitive component 20. 

In the present example, the capacitive component 20 
is an MOS technology capacitor. The dielectric space 24 
of the capacitor consists of a layer of silicon oxide 

10 deposited on the surface of a substrate 26 constituting 
one plate of the capacitor. Here the substrate 26 is 
grounded, i.e. connected to one of the power supply 
terminals of the external electrical power supply when 
the latter is connected to the card. The other plate of 

15 the capacitor is a conductive deposit 28a applied to the 
other face of the layer of silicon oxide. 

The measuring unit 22 mentioned above essentially 
comprises a field-effect transistor 30, here implemented 
in the MOS technology, like the capacitor. The gate of 

20 the transistor 30 is connected to a terminal of the 
capacitive component 20. In the present example, the gate 
is a conductive deposit 28b of the same kind as the 
conductive deposit 28a which constitutes one of the 
plates of the capacitive component 20 (see above). 

25 ' "' The^- two conductive -depos-its - 28a and 28b are- 

connected together or constitute a single conductive 
deposit. A connection 32 connected to the microprocessor 
14 is used to apply a voltage to the two deposits 28a and 
28b for a short time interval to charge the capacitive 

30 component 20. The microprocessor 14 controls the 
application of this voltage. 

More generally, the connection 32 is used to charge 
the capacitive component 20 at a given time under the 
control of the microprocessor 14, and the discharging of 

35 the capacitive component 20 across its dielectric space 
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24 begins when this charging connection is broken by the 
microprocessor 14 or when the secure electronic entity 11 
as a whole is decoupled from any electrical power supply, 
this loss of electric charge being representative of the 
5 elapsed time. Measuring the time involves turning the 
transistor 30 on momentarily, which presupposes the 
presence of an electrical power supply between its drain 
and source. 

The MOS technology field-effect transistor 30 

10 includes, in addition to the gate, a gate dielectric 
space 34 separating the gate from the substrate 36, in 
which a drain region 38 and a source region 3 9 are 
defined. The gate dielectric space 34 consists of an 
insulative layer of silicon oxide. The source connection 

15 40 applied to the source region 39 is grounded and 
connected to the substrate 36. The drain connection 41 is 
connected to a drain current measuring circuit that 
includes a resistor 45 to opposite ends of which two 
inputs of a differential amplifier 46 are connected. The 

20 voltage delivered at the output of this amplifier is 
therefore proportional to the drain current. 

The gate 28b is floating while the elapsed time is 
being measured relative to the lifespan of the object. In 
other words, no voltage is applied to the gate during 

25' this measurement. On the other hand, because the gate is 
connected to one plate of the capacitive component 20, 
the gate voltage while the elapsed time is being measured 
is equal to a voltage that develops between the terminals 
of the capacitive component 20, starting from "^n initial 

30 charging therein carried out under the control of the 
microprocessor 14 during the last use of the object. 

The insulative layer of the transistor 30 is 
significantly thicker than that of the capacitive 
component 20. By way of non-limiting example, the 

35 thickness of the insulative layer of the transistor 30 
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may be about three times the thickness of the insulative 
layer of the capacitive component 20. Depending on the 
application envisaged, the thickness of the insulative 
layer of the capacitive component 20 is from about 4 
5 nanometers to about 10 nanometers. 

When the capacitive component 20 is charged by the 
external electrical power supply, and after the charging 
connection has been broken at the command of the 
microprocessor 14, the voltage across the capacitive 
10 component 20 decreases slowly as the latter is 
progressively discharged across its own dielectric space 
24. Given its thickness, the discharge across the 
dielectric space 34 of the field-effect transistor 30 is 
negligible . 

15 By way of non-limiting example, for a given 

dielectric space thickness, if the gate and the plate of 
the capacitive component 20 are charged to 6 volts at a 
time t = 0, the time associated with a loss of charge of 
1 volt, i.e. to a reduction of the voltage to 5 volts, is 

20 of the order of 24 seconds for a thickness of 
8 nanometers. 

The times for other thicknesses are set out in the 
following table: 



Time - " • ^ ^ 


1 hour 


1 day 


- 1 - week- 


-1- month-- 


Oxide thickness 


8.17 nm 


8.79 nm 


9 . 1 7 nm 


9.43 nm 


Time accuracy 


1. 85% 


2.09% 


2.24% 


3.10% 



The accuracy depends on the error in reading the 
drain current (approximately 0.1%). Accordingly, to be 
able to measure times of the order of one week, a 
dielectric space layer thickness of the order of 
30 9 nanometers may be required. 

Figure 3 shows one particular architecture that 
uses a direct connection to the floating gate (28a, 28b) 
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to apply an electric potential thereto and therefore to 
cause charges to transit. Another option is indirect 
charging^ as mentioned above^ by means of a control gate 
replacing the direct connection, using the technology 
5 employed to fabricate EPROM or EEPROM cells. 

The Figure 4 variant provides three subsystems 17A, 
llBr 17C each associated with the microprocessor 14. The 
subsystems 17A and 17B comprise capacitive components 
with relatively slow leakage to enable measurement of 

10 relatively long times. 

However, these capacitive components are generally 
sensitive to temperature variations. The third subsystem 
17C includes a capacitive component having a very thin 
dielectric space (less than 5 nanometers thick) . It is 

15 therefore insensitive to temperature variations. The two 
capacitive components of the subsystems 17A, 17B have 
different leakages across their respective dielectric 
spaces . 

Moreover, the secure electronic entity includes a 

20 module for processing respective residual charge 
measurements present in the capacitive components of the 
first two subsystems 17A, 17B. This processing module is 
adapted to extract from these measurements information 
that is representative of time and substantially 

25 independent of heat input to the secure electronic entity 
during the time elapsed since the reference time of day. 

In the present example, this processing module is 
lumped together with the microprocessor 14 and the memory 
15. In particular, space is reserved in the memory 15 for 

30 storing a double-entry table T of time values that is 
addressed by means of the respective measurements from 
the subsystems 17A and 17B. In other words, a portion of 
the memory includes a set of time values and each value 
corresponds to a pair of measurements resulting from 

35 reading the drain current of each of the two transistors 
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of the temperature-sensitive subsystems 17A, 17B. 

Accordingly, the two capacitive components are 
charged to a predetermined voltage by the external 
electrical power supply via the microprocessor 14 at the 
5 beginning of measuring the elapsed time. When the 
microcircuit card is decoupled from the server, card 
reader or other entity, the two capacitive components 
remain charged but begin to discharge across their 
respective dielectric spaces and, as time passes without 
10 the microcircuit card being used, the residual charge in 
each of the capacitive components decreases, but 
differently in the two components, because of the 
different leakage rates resulting from their respective 
designs . 

15 When the card is again coupled to an external 

electrical power supply, for example on the occasion of a 
new use of the object, the residual charges in the two 
capacitive components are representative of the same time 
interval to be determined, but different because of any 

20 temperature variations that may have occurred during this 
time period. 

'When the object is used again, the two field-effect 
transistors of the two subsystems are supplied with 
energy and the drain current values are read and 
. ,2.5- - .processed. .b_y the. micrpcircuit.. Fpr__each pair_ of , values of 
the drain current, the microcircuit looks for the 
corresponding time value in memory, in the table T 
mentioned above. That time value is then compared to the 
lifespan V and use of the object is authorized only if 
30 the elapsed time is less than the lifespan V. 

Alternatively, this time value may be compared to a 
value available in the server, card reader or some other 
(and preferably secure) entity. Moreover, use of the 
object may be authorized only if the elapsed time 
35 respects the lifespan of the object and the time value 
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obtained in the card (for example the time value stored 
in the table T) is compatible with the value available in 
the server or card reader or other entity, i.e. if the 
two values also coincide or are relatively close 
5 together, within a preselected tolerance. 

It is not necessary to store the table T. For 
example, the processing module, i.e. essentially the 
microprocessor 14, may include software for calculating a 
predetermined function for determining said information 

10 as a function of the two measurements and substantially 
independently of the heat input. 

As described above, the third subsystem 17C 
includes an extremely thin dielectric space making it 
insensitive to temperature variations. 

15 Other variants are feasible. In particular, to 

simplify the subsystem 17, the capacitive component 20 as 
such may be eliminated, because the field-effect 
transistor 30 may be considered as a capacitive component 
with the gate 28b and the substrate 36 as its plates, 

20 separated by the dielectric space 34. In this case, the 
capacitive component and the measuring unit may be 
regarded as lumped together. 

There are a number of options for preserving the 
time indication between successive uses of the object . 

25 A first option is to charge the cell that measures 

time once, when the object is created- On each attempt to 
use the object, the charge in the time measuring cell is 
representative of the time that has elapsed since the 
creation of the object. That time is compared to the 

30 lifespan assigned to the object and use of the object is 
authorized only if the elapsed time does not exceed the 
lifespan , 

A second option is to recharge the cell each time 
that the secure electronic entity is switched on. Thus 
35 shorter times are measured, and are accumulated: each 
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time the secure electronic entity is switched on, the 
time elapsed since the last time the secure electronic 
entity was switched on is measured, after which the 
capacitive component is recharged. The times measured in 
5 this way are accumulated in a location of the non- 
volatile memory of the electronic entity. 

That memory location therefore stores the time 
elapsed since the first time the secure electronic entity 
was switched on, and so it is possible to determine at 

10 any time the time that has elapsed since the reference 
time of day, independently of the total real time of use 
of the object. 

It is advantageous to use a single capacitive 
component for a plurality of objects. This has the 

15 advantage of using a single capacitive component having a 
relatively thin oxide layer, which makes time measurement 
more accurate compared to using a single component for 
the whole of the lifespan of the electronic entity. 

The time that elapses between the time of measuring 

20 the charge on the capacitive component and the time that 
it is recharged is sometimes non-negligible. To take 
account of this, a second component may be used whose 
function is to take over from the first during this time 
interval . 

25 Capacitive components of different accuracy may 

also be used to improve the accuracy of the measurement; 
from a plurality of measurements, the measurement 
obtained from the most accurate component that has not 
been discharged is chosen. 

30 A third option is to use one capacitive component 

for each object, recharged at the beginning of the 
lifespan of the object. An advantage of this option is 
that time measurement components may be used that are 
adapted to the lifespan of the object in question, for 

35 improved accuracy of time measurement; the table 
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hereinabove shows that the selected oxide thickness in 
the time measuring cell impacts on measurement accuracy. 

On each attempt to use the object, the state of 
charge of the capacitive component associated with the 
5 object is representative of the time that has elapsed 
since the object was created. That time is compared to 
the lifespan assigned to the object and use of the object 
is authorized only if the elapsed time does not exceed 
the lifespan - 

10 Alternatively, the lifespan may correspond to the 

total time of real use of the object, in which case, each 
time the object is used, the time elapsed between 
starting and ending its use is measured and stored, and 
all the times measured in this way are accumulated; thus 

15 the total elapsed time that is measured corresponds to 
the total time of real use of the object. 

Other variants are feasible that will be obvious to 
the person skilled in the art. 

Thus, according to the invention, the use of the 

20 time counter within the card improves security since 
downcounting time is difficult to falsify. 



